
in bitcoin mining equipment. How does it work? Could something like this happen on enterprise networks? How can you scan for this type of thing?

The bitcoin mining hardware maker Bitmain Technologies recently came under fire for an alleged backdoor in the firmware of its widely used Antminer cryptocurrency mining hardware. The issue was aptly named Antbleed, a combination of the Antminer product name and Heartbleed, the best known of the data-leaking vulnerabilities it was compared to.

Bitmain is estimated to hold around 70% of the bitcoin mining hardware market, and with this code present in the firmware of the majority of its systems, there was concern in the bitcoin industry that Bitmain was building a device management channel, or even a way to remotely monitor its customers.

The Bitmain firmware contains a hardcoded domain, auth.minerlink.com, which the miner contacts at random intervals of roughly one to 11 minutes. Each check-in sends the device's MAC address, IP address and serial number to the site, and if the service answers "false", the miner stops mining. Beyond that kill switch, the callout is a privacy concern: it hands personally identifiable information, and possibly the rough location of the device inferred from its IP address, to a vendor that has no need for it.

The check-in is an outbound connection, so it is hard to stop on the network without egress filtering that blocks the hardcoded domain, or the addresses it resolves to, ahead of time. Many privacy advocates were rightfully concerned about Bitmain potentially monitoring its clients.

Another security issue with this callout is its unauthenticated nature, which leaves it open to domain name system hijacking or man-in-the-middle attacks. Anyone who can control the response, whether by hijacking the domain, sitting in the network path to it or compromising the hardcoded site itself, could send the shutdown answer and halt mining for close to 70% of bitcoin miners. A denial-of-service attack on the site alone would not trigger the shutdown, since a miner that cannot connect simply keeps working, but it would give an attacker a reason to want control of the name.

To stop this from happening while continuing to mine, miners have added an entry to the hosts file on the device that maps auth.minerlink.com to 127.0.0.1. The name then resolves locally, so no check-in data leaves the device and no remote response can shut it down.

After the uproar over Antbleed, Bitmain published a blog post explaining the reasoning behind the callout. It said the feature was being introduced so that customers could monitor equipment, which is often hosted outside their own premises, and shut down miners that had been stolen or hijacked, and it gave several examples of Antminers being withheld from their owners or hijacked.

According to the blog post, the feature was meant to give owners the ability to shut down systems they had lost control of. It was never fully developed, however, and was left in the code, which is open source and was found there by a researcher. Bitmain said it was releasing updated firmware for all affected products that removes the feature.

Firmware hacks are nothing new; both Cisco and Juniper have had malicious firmware on their equipment. It is still up for debate, but Antbleed does not appear to be malicious, just poor hygiene. Protecting against this class of problem is hard: a behavior-based understanding of what your devices normally talk to, combined with proper segmentation and egress firewalling, is the main defense against data leaking to a destination you never approved.

Even with those controls, pinpointing a rogue callout can still be difficult. Following proper security hygiene across the board goes a long way toward protecting against these types of threats.
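The behavior-based approach described above amounts to looking for a device that contacts the same external name at short, bounded intervals, the pattern of the one-to-11-minute Antminer check-in. The following Python is an added example written for this article, not code from Bitmain or from the original page; the DNS log format, the sample log lines and the sample hosts file are constructed for illustration, and the thresholds (four hits, a 15-minute ceiling) are assumptions to tune for your own network.

```python
"""Beacon detection over DNS query logs, plus a hosts-file sinkhole check.

Added example (not from the original article or from Bitmain). A check-in loop
with a bounded random sleep produces inter-query gaps that never exceed the
loop's ceiling; human-driven and daily-scheduled traffic does not.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean
from typing import Dict, List, Tuple

# Constructed sample log: "<ISO timestamp> <client ip> <queried name>".
# 10.0.5.21 queries the hardcoded name every few minutes; the other
# clients query once or twice a day and must not be flagged.
SAMPLE_DNS_LOG = """\
2017-04-26T10:00:00Z 10.0.5.21 auth.minerlink.com
2017-04-26T10:03:12Z 10.0.5.21 auth.minerlink.com
2017-04-26T10:09:40Z 10.0.5.21 auth.minerlink.com
2017-04-26T10:20:05Z 10.0.5.21 auth.minerlink.com
2017-04-26T10:21:30Z 10.0.5.21 auth.minerlink.com
2017-04-26T10:31:55Z 10.0.5.21 auth.minerlink.com
2017-04-26T10:02:00Z 10.0.5.33 pool.example.net
2017-04-26T10:02:30Z 10.0.5.33 www.example.org
2017-04-26T10:00:10Z 10.0.5.40 ntp.example.org
2017-04-26T18:00:10Z 10.0.5.40 ntp.example.org
"""

# Constructed sample hosts file showing the workaround from the article.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
# sinkhole the Antminer check-in so it never leaves the device
127.0.0.1 auth.minerlink.com
"""


def parse_dns_log(text: str) -> Dict[Tuple[str, str], List[datetime]]:
    """Group query timestamps by (client, name); malformed lines are skipped."""
    seen: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        ts = ts.replace(tzinfo=timezone.utc)
        seen[(parts[1], parts[2].rstrip(".").lower())].append(ts)
    for stamps in seen.values():
        stamps.sort()
    return seen


def find_beacons(text: str, min_hits: int = 4, max_gap_s: float = 15 * 60,
                 allowlist=()) -> List[Tuple[str, str, int, int, float]]:
    """Return (client, name, hits, mean_gap_s, max_gap_s) for suspected beacons.

    A (client, name) pair is flagged when it has at least `min_hits` queries
    and every gap between consecutive queries is at most `max_gap_s`.
    """
    findings = []
    for (client, name), stamps in parse_dns_log(text).items():
        if name in allowlist or len(stamps) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if max(gaps) <= max_gap_s:
            findings.append((client, name, len(stamps), round(mean(gaps)), max(gaps)))
    return findings


def is_sinkholed(hosts_text: str, name: str) -> bool:
    """True if an /etc/hosts-style text maps `name` to a loopback address.

    Only the first matching entry counts, which is how the resolver reads it.
    """
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and name.lower() in (h.lower() for h in fields[1:]):
            return fields[0] in ("127.0.0.1", "::1")
    return False


if __name__ == "__main__":
    for client, name, hits, avg, worst in find_beacons(SAMPLE_DNS_LOG):
        print(f"{client} -> {name}: {hits} queries, mean gap {avg}s, max gap {worst:.0f}s")
    print("sinkholed:", is_sinkholed(SAMPLE_HOSTS, "auth.minerlink.com"))
```

Run against real data, the same logic works on DNS resolver logs, proxy logs or flow records keyed by destination; DNS alone can under-count a beacon when the device caches the answer for the record's TTL, so flow or proxy logs are the better source where you have them. Pair the detector with an allowlist of names your miners or appliances are expected to contact (pool servers, NTP) so the alerts that remain are the callouts nobody approved.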
